vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php CVE (May 2026)

Install production dependencies without the require-dev packages, so that PHPUnit (and eval-stdin.php with it) is never deployed into the vendor/ directory of a live site:

composer install --no-dev --optimize-autoloader

An attacker simply sends a POST request to:

https://victim.com/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

With a raw POST body containing any PHP code.

Check your composer.lock for PHPUnit versions:

composer show phpunit/phpunit

If the installed version is ≤ 4.8.28 or ≤ 5.6.3, you're vulnerable.

Also, check if the file exists and is web-accessible:

find vendor/phpunit -name "eval-stdin.php"
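The two checks above, carried out programmatically, as an added example that is not code from the page or from the PHPUnit project: it reads composer.lock, reports whether phpunit/phpunit sits in "packages" or "packages-dev" (only the former survives composer install --no-dev), compares the version against the releases that shipped the fix for CVE-2017-9841 (4.8.28 on the 4.x line, 5.6.3 on 5.x), and tests whether a located eval-stdin.php lies inside the web server's document root, which is the condition that makes the file requestable. The composer.lock excerpt and the file paths are constructed for the example.

```python
import json
import os

# Releases that shipped the fix for CVE-2017-9841 (4.8.28 on the 4.x line, 5.6.3 on 5.x);
# anything older on those lines is flagged. 6.x and later already contain the fix.
FIXED_4X = (4, 8, 28)
FIXED_5X = (5, 6, 3)

# Constructed composer.lock excerpt for the example: PHPUnit is a dev dependency here.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "monolog/monolog", "version": "1.23.0"}],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "4.8.27"}],
})


def parse_version(version):
    """Turn '4.8.27' or 'v5.6.2' into a 3-tuple of ints for comparison.
    Non-numeric pieces (e.g. 'dev-master') become 0, which errs toward flagging."""
    parts = []
    for piece in version.lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version):
    """True when the version predates the fix on its release line."""
    v = parse_version(version)
    if v[0] <= 4:
        return v < FIXED_4X
    if v[0] == 5:
        return v < FIXED_5X
    return False


def audit_composer_lock(lock_json):
    """Locate phpunit/phpunit in a composer.lock document and report which section
    it lives in, its version, and whether that version is affected.
    Packages listed under 'packages-dev' are skipped by `composer install --no-dev`."""
    lock = json.loads(lock_json)
    report = {"found": False, "section": None, "version": None, "vulnerable": False}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "phpunit/phpunit":
                version = pkg.get("version", "0")
                report.update(found=True, section=section, version=version,
                              vulnerable=is_vulnerable_version(version))
                return report
    return report


def web_exposed(webroot, eval_stdin_paths):
    """Return the eval-stdin.php paths that lie under the document root.
    A copy in project/vendor with the document root at project/public is on disk
    but cannot be requested over HTTP; a copy below the document root can."""
    root = os.path.normpath(webroot)
    exposed = []
    for path in eval_stdin_paths:
        try:
            if os.path.commonpath([root, os.path.normpath(path)]) == root:
                exposed.append(path)
        except ValueError:
            # commonpath raises when absolute and relative paths are mixed; not comparable
            pass
    return exposed


if __name__ == "__main__":
    print(audit_composer_lock(SAMPLE_LOCK))
    # Constructed paths: one deployment serves the project root, the other serves public/
    print(web_exposed("/var/www/html",
                      ["/var/www/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"]))
    print(web_exposed("/srv/app/public",
                      ["/srv/app/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"]))
```

Feed `audit_composer_lock` the contents of your real composer.lock and `web_exposed` the document root from your web server configuration together with the output of the find command above; a "found" result in "packages-dev" means the --no-dev install alone removes the file from production.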

Tracking vulnerabilities in your project's dependencies, PHPUnit included, and updating promptly to patched versions are essential. Keep development-only packages out of production builds to reduce exposure. If you have specific concerns about a vulnerability or how to secure your application, consult a security professional or the detailed guidance published by the software maintainers.

The query refers to CVE-2017-9841, a critical remote code execution (RCE) vulnerability in PHPUnit, a popular testing framework for PHP.

Core Vulnerability Details

The flaw exists because the Util/PHP/eval-stdin.php file (often found at /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php) passes the raw POST body to eval() without any sanitization.

Impact: A remote, unauthenticated attacker can execute arbitrary PHP code by sending an HTTP POST request where the body begins with the substring.

Severity: Rated as 9.8 Critical (CVSS 3.1) because it requires no privileges or user interaction.

Condition: This is only exploitable if the /vendor directory is accessible from the web (a common misconfiguration in production environments).
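Because exploitation requires the script to be reachable over HTTP, the web server's access log is where attempts show up. The following is an added detection example, not part of the original page: it parses combined-format access-log lines (constructed here, using documentation IP ranges), flags every request that names eval-stdin.php, and ranks a POST answered with a 2xx status above GETs and blocked requests, since only the former indicates the script actually ran the body. The severity labels are this example's own, not a standard taxonomy.

```python
import re
from collections import Counter

# Constructed access-log lines in Apache/nginx "combined" format; addresses are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/May/2026:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2026:08:02:40 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2026:08:02:41 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 37 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2026:08:03:05 +0000] "POST /lib/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 0 "-" "curl/8.4"
203.0.113.5 - - [10/May/2026:08:04:00 +0000] "GET /vendor/composer/installed.json HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# client ip, two ignored fields, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(method, path, status):
    """Severity labels used by this example (not a standard taxonomy):
    likely-executed: POST to eval-stdin.php answered 2xx, i.e. the script ran the body;
    probe:           any other request naming eval-stdin.php (scan, 404, or blocked);
    vendor-access:   any other request into /vendor/, which should never be served;
    None:            not interesting."""
    clean = path.split("?", 1)[0].lower()
    if clean.endswith("/eval-stdin.php"):
        if method == "POST" and status.startswith("2"):
            return "likely-executed"
        return "probe"
    if "/vendor/" in clean:
        return "vendor-access"
    return None


def scan_access_log(text):
    """Parse each line and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped rather than silently classified
        severity = classify_request(m["method"], m["path"], m["status"])
        if severity:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "path": m["path"], "status": m["status"], "severity": severity})
    return findings


def hits_per_ip(findings):
    """Count findings per source address, to decide what to investigate or block first."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in results:
        print(f["severity"].ljust(16), f["ip"], f["method"], f["status"], f["path"])
    print(hits_per_ip(results))
```

A "likely-executed" finding on a host where the file is present and the PHPUnit version is unpatched should be treated as a confirmed compromise and handled as an incident, not as a scan; "probe" and "vendor-access" entries are the signal to verify that /vendor is not served and to install without dev packages.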

It looks like you're referencing a specific command and a CVE related to PHPUnit, particularly the eval-stdin.php script.

The command you mentioned resembles:

vendor/phpunit/phpunit src/util/php/eval-stdin.php

This is related to CVE-2017-9841 — a critical remote code execution (RCE) vulnerability in PHPUnit.

To mitigate such vulnerabilities in scripts like eval-stdin.php, which use eval() or similar functions, treat input as data and map it to a fixed set of actions rather than executing it:

<?php
// Never do this with untrusted input: the body is executed verbatim
$input = file_get_contents('php://stdin');
eval($input);

// Instead, do this: validate the input and dispatch on a whitelist of known values
$input = trim(file_get_contents('php://stdin'));
if (preg_match('/^[a-zA-Z0-9_]+$/', $input)) {
    // For example, allow only whitelisted inputs
    switch ($input) {
        case 'allowed_input_1':
            // Execute allowed action
            break;
        default:
            // Handle or log an unexpected value
            break;
    }
} else {
    // Handle or log invalid input
}